Vista Group Policy deep mining is a task

Some people refer to the Group Policy as a "big master" in Windows ". Compared with XP, the Group Policy Function in Vista is more powerful and more closely integrated with the system, which is more like the "big internal manager" in Vista ". You can use group policies to complete seemingly difficult tasks in Vista. Next we will explore deeply to uncover the inside story of the Vista group policy and implement the extraordinary task.

　　1. Hide and restrict disk partitions to protect data

Some data is stored on PCs and public computers, which sometimes do not have to be known to others. In particular, computers in office scenarios are usually shared by multiple people because of their open locations, and personal computers are sometimes used temporarily by others. All these challenges the confidentiality and security of user data stored in them, what should I do?

In fact, we do not need third-party software in Vista to easily implement data protection by hiding or limiting disk partitions. The following describes how to restrict partition C. The procedure is as follows:

Step 1: In the "run" dialog box of the Start Menu, enter "Gpedit. msc, open the "Group Policy" setting window, in the "Group Policy" setting window, choose "Local Computer Policy> User Configuration> management template> Windows Components> Windows Resource Manager.

Step 2: In the settings window on the right, select "prevent access to the drive from my computer", right-click the option, and select "properties ", the "prevent access to drive properties from my computer" window appears. Three options are available: "Not Configured", "enabled", and "disabled ".

Step 3: After "enabled" is selected, the sink list of the selected drive will appear below. If you want to restrict the use of a drive, just select the drive. For example, to restrict the use of drive C, select "restrict drive C only. If you want to disable all drives, including optical drives, you can select "restrict all drives ". (Figure 1)

　　

Figure 1 prevent my computer from accessing the drive

Tip: In "Windows Resource Manager", there is also the policy "hide these specified drives in" My Computer ". You can use this policy to specify the drive, however, this policy can be broken through the IE browser. in the address bar, enter C:, press enter, and the hidden C disk partition can also be accessed. In contrast, the above restrictions are more thorough. (Figure 2)

　　

Figure 2 set the effect

Extended: You can choose to hide the C partition or all partitions through the above method. How can you hide a specific partition, such as the E disk partition? You can modify the configuration file of the Vista Group Policy. The file is stored in the path "% windir % yydefinitions". We need to modify the file "WindowsExplorer. adml "and WindowsExplorer. admx configuration files.

Step 1: Open the WindowsExplorer. adml file in notepad and find the part that contains the following code:

Only partitions A, B, C, and D are restricted.

Only partitions A, B, and C are restricted.

Only limit partitions A and B

Restrict all partitions

For example, to hide the E partition, add the following code. Save and exit after modification:

Only limit partition E (figure 3)

　　

Figure 3 partition Restriction

Step 2: use NotePad to open the WindowsExplorer. admx file and find

"

The former is used to restrict access to partitions, and the latter is used to hide partitions. For example, if we use partition E as an example, add the following code at the two locations, "16" indicates the decimal code of the E partition: (Figure 4)

　　

Figure 4 options for adding an edisk

Step 3: replace two important files. Due to access control permissions, we first need to modify the access permissions of the two files, open the Properties dialog box, and switch to the "Security" tab, click the "advanced" button to change the owner and set the owner. After obtaining the permission, you can complete the file replacement operation.

Now, you can select "enabled" in the "prevent access to the drive from my computer" dialog box of the Group Policy.

2. Pass the USB flash drive

USB flash drives are very popular, and many mobile phone functions also include USB flash drives. It is very easy to copy some files from others' computers, this poses a great threat to information in the computer. How can we make the system only use the specified USB flash drive or mobile hard drive?

In fact, we don't have to worry about this issue in the Vista system. We can use group policies to complete this task. You can disable all USB storage devices and allow the system to use only the specified USB flash disk.

Step 1: insert your USB flash drive into the Vista system so that the system can use the USB flash drive normally. Then, go to the control panel and double-click the Device Manager ", expand "portable devices" in it to see your USB flash drive.

Step 2: Right-click on the top and select "properties". In the displayed "properties" window, click the "details" tab, then select "hardware ID" in the "property" drop-down box of the device. The following "value" will show a string. This is the hardware ID of your USB flash drive. copy it and save it.

Step 3: copy the hardware ID of "USB large capacity storage device" in "general serial bus controller" and expand the "general serial bus controller" list in "Device Manager, find the "USB high-capacity storage device" and click the "details" tab in its "properties" window. Copy the hardware ID and save it.

Step 4: Find the hardware ID of the USB flash drive and implement it through the Group Policy. "Start> Run" and enter "Gpedit. msc opens the Group Policy window, and expands "Computer Configuration> management template> system> device installation restrictions ", double-click "Prohibit installation of devices not described by other policies" on the right, select "enabled" in the pop-up window, and then click "OK, set it to disable the USB device described in policy settings. (Figure 5)

　　

Figure 5 Disable other mobile storage devices
3. prevent malicious Shutdown

In enterprises and institutions, there are often some good people or scammers who can peek at the information on others' computers. Although we can lock the computer through Windows + L, we can prevent other people from spying, however, there is another "shut down the computer" on the locked page. Although others cannot tamper with the machine, they can shut down the computer. If someone who encounters a good thing clicks "shut down the computer, early work is likely to be overwhelmed. Therefore, it is necessary to add a lock to "shut down the computer. You can easily complete such tasks through group policies.

Click Start> Run. In the displayed dialog box, enter Gpedit. msc, and press enter to open the Group Policy Editor. Expand the "Computer Configuration> Windows Settings> Security Settings> Local Policy> Security Options" branch, and find the "shutdown: Allow shutdown before Logon" option in the right pane, double-click. In the displayed Properties dialog box, set the attribute to "disabled". Click "OK" and close the Group Policy Editor. (Figure 6)

　　

Figure 6 prevent malicious Shutdown

　　4. account-related

(1). Rename the Guest account

In the working group environment, you need to enable the guest account for network sharing, which poses a certain security risk because attackers can intrude into the system through the default guest account, renaming a guest account is a good method. Because it is the default account of the system, it cannot be changed normally. We can use group policies.

"Start> Run" and enter Gpedit. choose "Local Computer Policy> Computer Configuration> windows Settings> Security Settings> Local Policy> Security Options", and double-click the "Rename Guest user" option on the right ", enter the name of the new guest user. (Figure 7)

　　

Figure 7 change the name of the guest user

(2). Guest can also be remotely shut down

In Windows 2000/XP, only members of the Adminstrators group can remotely shut down the computer by default. This policy is designed for system security and continues to Windows Vista, but sometimes we use a Guest account to log on to a computer in a LAN for operations, and we need to grant the guest user the permission to remotely shut down the machine. How can we achieve this? The procedure is as follows:

Step 1: Run Gpedit. choose "Local Computer Policy> Computer Configuration> windows Settings> Security Settings> Local Policy> User permission assignment" from the shortcut menu, and click "Access Computer From Network" on the right ", right-click "properties" to view users that are allowed to access remotely. By default, the guest user is disabled and has no permission to shut down this computer. First, enter the command "net user guest/active: yes" at the command prompt to enable the guest, click "add user or group" and enter "Guest" in the input Object Name dialog box. (Figure 8)

　　

Figure 8 Guest user authorization

Step 2: Find "Force Shutdown remotely" in "user permission assignment" in the current Group Policy console window and double-click the project. In the pop-up window, add the "guest" account and click "OK" in sequence, so that the guest has the permission to remotely close the computer. (Figure 9)

　　

Figure 9 shutdown permission (3). prevent password cracking

When your Windows Vista user password is not strong enough, it is easy for an invalid user to "Guess" the User Password multiple times.